Pierluigi Paganini July 18, 2022

Cybercriminals released a new MLNK Builder 4.2 tool for malicious shortcuts (LNK) generation with an improved Powershell and VBS Obfuscator

Resecurity, Inc. (USA), a Los Angeles-based cybersecurity company protecting Fortune 500 worldwide, has detected an update of one of the most popular tools used by cybercriminals to generate malicious LNK files, so frequently used for malicious payloads delivery nowadays.

MLNK Builder has emerged in Dark Web with the new version (4.2) and the updated feature-set focused on AV evasion and masquerading with icons of popular legitimate applications and file formats.

“Why Attackers Use LNK File? Such files typically look legitimate, and may have an icon the same as an existing application or document. The bad actors incorporate malicious code into LNK files (e.g. Powershell scenario) allowing the execution of the payload on the target machine.” reads the post published by Resecurity.

The spike of notable campaigns involving malicious shortcuts (LNK files) conducted by both APT groups and advanced cybercriminals has been detected in April-May period this year – Bumblebee Loader and UAC-0010 (Armageddon) targeting EU Countries described by CERT UA. Malicious shortcuts continue to give a hard time for network defenders, especially, in combating global botnet and ransomware activity using them as a channel for multi-staged payload delivery.

“We observed a campaign that delivered Bumblebee through contact forms on a target’s website. The messages claimed that the website used stolen images and included a link that ultimately delivered an ISO file containing the malware.” continues the post. “Resecurity attributed this campaign to another threat actor the company tracks as TA578 and has done since May 2020. TA578 uses email campaigns to deliver malware like Ursnif, IcedID, KPOT Stealer, Buer Loader, and BazaLoader, as well as Cobalt Strike.”

According to experts from Resecurity, existing customers of MLNK Builder will receive an update for free, but the authors have also released a “Private Edition” available for a tight circle of vetted customers or additional license in $125 per build.

The updated tool provides a rich arsenal to generate malicious files looking like legitimate Microsoft Word, Adobe PDF, ZIP Archives, images .JPG/.PNG, audio MP3, and even video .AVI files. as well as more advanced features to obfuscate malicious payload.

Bad actors continue to develop more creative ways to trick detection mechanisms and deliver malicious payloads – by leveraging a combination of extensions and different file formats, as well as Living Off the Land Binaries (LOLbins).

According to Resecurity, the most actively used malware families leveraging LNK-based distribution are TA570 Qakbot (aka Qbot), IcedID, AsyncRAT, and the new strain of Emotet. The most recent Qakbot distribution campaign also included malicious Word documents using the CVE-2022-30190 (Follina) zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT).

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, MLNK Builder)

[adrotate banner=”5″]

[adrotate banner=”13″]